The road to cybersecurity resilience will include cultivating strong industry partnerships, strengthening CISA, and putting DHS into a series of 60-day “sprints” to focus on “the most important and most urgent priorities needed to achieve our goals,” Homeland Security Secretary Alejandro Mayorkas said today.
“The government does not have the capacity to achieve our nation’s cyber resilience alone,” Mayorkas said in an address at the RSA Conference. “So much of our critical infrastructure is in the private sector’s hands… our government got hacked last year and we didn’t know about it for months. It wasn’t until one of the world’s best cybersecurity companies got hacked itself and alerted the government that we found out. This incident is one of many that underscores a need for the federal government to modernize cybersecurity defenses and deepen our partnerships.”
The secretary outlined five principles as “foundational for how we think about our work,” beginning with not using cybersecurity “as a pretext to infringe on civil liberties and human rights.”
“Second, we must fundamentally shift our mindset and acknowledge that defense must go hand-in-hand with resilience,” he said. “Bold and immediate innovations, wide-scale investments, and raising the bar of essential cyber hygiene are urgently needed to improve our cyber defenses. We need to prioritize investments inside and outside of government accordingly.”
The Biden administration “is working on nearly a dozen actions for an upcoming executive order,” Mayorkas said, to “improve in the areas of detection, information sharing, modernizing federal cybersecurity, federal procurement, and federal incident response” while ensuring “the federal government must lead by example at a time when the stakes are so high.”
“Pursuing cyber resilience requires a third principle, namely a focus on a risk-based approach. Determining what risks to prioritize and how to allocate limited resources is crucial to maximizing the government’s impact. A fact-based framework needs to guide the assessment of risk at home and abroad,” he continued.
“Relatedly, addressing the most important risks is a shared responsibility. We must strengthen collaboration between the private sector and government to generate the insights necessary to detect malicious cyber actors.”
The final principle, the secretary said, is “to integrate diversity, equity, and inclusion – or DEI – throughout every aspect of our work” which “requires the recruitment, development, and retention of diverse talent.”
The Cybersecurity and Infrastructure Security Agency is at the core of the five principles, he added.
“As some have said, the government needs a quarterback on its cybersecurity team. CISA is that quarterback,” Mayorkas said. “Among my top priorities as secretary is to strengthen CISA to execute its mission. I am particularly grateful to Congress for further empowering CISA in recent months by providing it with additional authorities and resources.”
Those new authorities Congress provided to CISA “will enable it to proactively hunt for intruders on civilian federal government networks, shortening the amount of time they remain undetected,” he added. “Once detected, CISA will continue to take action and work with civilian federal agencies to minimize risk. CISA is also expanding its ability to offer shared services based on security-by-design for these agencies. This will raise the bar and make it harder for malicious hackers to gain access in the first instance.”
Mayorkas praised CISA as the “private sector’s most trusted interlocutor” and “clearly best positioned to be the tip of the spear and the front door for the U.S. government’s engagement with industry on cybersecurity.”
“We will therefore soon launch an awareness campaign to ensure private companies – large and small – know of the resources and services CISA has to offer. We also plan to launch an expanded cybersecurity grant program to facilitate and support the adoption of those services,” he said. “With its strong and deep network of partnerships, CISA is the ideal nexus for the government to mobilize action and advance cyber resilience across all sectors and at every level of government. CISA’s role in leading national efforts to secure the 2020 election illustrates what we can accomplish through strong partnerships, a clear vision, and an appropriate sense of urgency.”
“Looking ahead, expanding CISA’s footprint across the country will be critical to institutionalize and maximize its network of partnerships. CISA is already moving ahead with placing State Cybersecurity Coordinators across the country, deepening its longstanding relationships from coast to coast. The department is also working on a proposal for a Cyber Response and Recovery Fund that will further augment CISA’s ability to provide assistance to state, local, tribal, and territorial governments.”
Mayorkas said the administration’s forthcoming National Cyber Director – a newly created Senate-confirmed position – will play a large role, as DHS also works to “empower” the Transportation Security Administration to increase the cyber resilience of transportation systems “from rail to pipelines” and ensures the U.S. Secret Service and ICE’s Homeland Security Investigations “remain well positioned to combat 21st century crimes.”
“DHS must lead by example. We must have our own house in order before we can expect others to heed our advice. We must model what effective partnerships look like. We must ensure our own workforce is reflective of the communities we serve,” he said, announcing 60-day “sprints” focused on “the most important and most urgent priorities needed to achieve our goals” — intended to “mobilize action by elevating existing efforts, removing roadblocks, and launching new initiatives where necessary” — as well as “four medium-term priorities that will receive my sustained attention over the longer term.”
“Each sprint has a dedicated action plan to drive action within the department and energize our engagement with partners in the private and public sectors, both domestically and internationally,” he said.
The first sprint will focus on the fight against ransomware, which Mayorkas said “now poses a national security threat” — citing attacks on healthcare infrastructure as a life-or-death example.
“We will do everything we can to prevent and respond to these horrendous acts. And we call on others around the world to do the same,” he said, noting DHS’ upcoming awareness campaign and industry engagement on ransomware. “With respect to responding to ransomware attacks, we will strengthen our capabilities to disrupt those who launch them and the marketplaces that enable them.”
The second sprint will launch next month and is focused on supporting the current cybersecurity workforce and building the cyber workforce of the future. A DHS Honors Program will be launched with an initial focus on cybersecurity, and DHS will publish diversity data while encouraging the hiring of diverse talent.
Later this summer, the third sprint will begin with a focus on improving the resilience of industrial control systems. “The cybersecurity incident at the water treatment facility in Florida last month was a powerful reminder of the substantial risks we need to address,” Mayorkas said, adding that “the last three sprints for the coming year will focus on better protecting our transportation systems, safeguarding election security, and advancing international capacity-building.”
Mayorkas is also prioritizing “resilience of our democratic infrastructures” and strengthening supply chains. “The exploitation of SolarWinds highlighted that we need to think about supply chain risks holistically,” he said. “While some risks are clearly associated with certain foreign companies and governments, we need a risk-based approach to ensure we address all systemic supply chain risks. Bearing in mind that 100 percent cybersecurity is not possible, this includes considering zero trust architectures where needed to reach the level of resilience required.”
DHS also has to “get ahead of the curve and think long-term,” the secretary said, as “it is imperative to dedicate senior leadership attention to strategic, on-the-horizon issues.”
“For example, the transition to post-quantum encryption algorithms is as much dependent on the development of such algorithms as it is on their adoption. While the former is already ongoing, planning for the latter remains in its infancy. We must prepare for it now to protect the confidentiality of data that already exists today and remains sensitive in the future,” Mayorkas said. “This is a priority and DHS will start developing a plan for how it can help facilitate this transition. Considering the scale, implementation will be driven by the private sector, but the government can help ensure the transition will occur equitably, and that nobody will be left behind.”